From 5f9ae7699b9cfa6649ef927cc8f006c052735a9c Mon Sep 17 00:00:00 2001
From: Humair Khan
Date: Mon, 27 May 2024 18:32:12 -0400
Subject: [PATCH] chore update func tests for tls changes
Signed-off-by: Humair Khan
---
api/v1alpha1/dspipeline_types.go | 7 +-
api/v1alpha1/zz_generated.deepcopy.go | 5 +
...b.io_datasciencepipelinesapplications.yaml | 12 +-
.../mlpipelines-ui/deployment.yaml.tmpl | 4 +-
.../persistence-agent/deployment.yaml.tmpl | 2 +
controllers/dspipeline_params.go | 14 +-
.../created/mlpipelines-ui_deployment.yaml | 4 +-
.../created/mlpipelines-ui_deployment.yaml | 4 +-
.../created/mlpipelines-ui_deployment.yaml | 4 +-
.../created/apiserver_deployment.yaml | 37 ++--
.../created/apiserver_deployment.yaml | 37 ++--
.../created/mlpipelines-ui_deployment.yaml | 8 +-
.../created/persistence-agent_deployment.yaml | 2 +
.../created/apiserver_deployment.yaml | 37 ++--
.../testdata/declarative/case_9/config.yaml | 14 ++
.../declarative/case_9/deploy/00_cr.yaml | 22 ++
.../created/apiserver_deployment.yaml | 194 ++++++++++++++++++
.../created/mlpipelines-ui_deployment.yaml | 171 +++++++++++++++
.../created/persistence-agent_deployment.yaml | 89 ++++++++
tests/resources/dspa-external-lite.yaml | 1 +
tests/resources/dspa-lite.yaml | 1 +
21 files changed, 583 insertions(+), 86 deletions(-)
create mode 100644 controllers/testdata/declarative/case_9/config.yaml
create mode 100644 controllers/testdata/declarative/case_9/deploy/00_cr.yaml
create mode 100644 controllers/testdata/declarative/case_9/expected/created/apiserver_deployment.yaml
create mode 100644 controllers/testdata/declarative/case_9/expected/created/mlpipelines-ui_deployment.yaml
create mode 100644 controllers/testdata/declarative/case_9/expected/created/persistence-agent_deployment.yaml
diff --git a/api/v1alpha1/dspipeline_types.go b/api/v1alpha1/dspipeline_types.go
index 21b5937f4..77040ac77 100644
--- a/api/v1alpha1/dspipeline_types.go
+++ b/api/v1alpha1/dspipeline_types.go
@@ -45,9 +45,10 @@ type DSPASpec struct { // +kubebuilder:default:="v1" DSPVersion string `json:"dspVersion,omitempty"` - // InterPodTLS Set to "enable" or "disable" tls communication between DSPA components. Default to "enable". Only supported in OpenShift. - // +kubebuilder:default:="enabled" - InterPodTLS string `json:"InterPodTLS,omitempty"` + // InterPodTLS Set to "true" or "false" tls communication between DSPA components. Default to enable Inter-Pod tls by setting to "true". Only supported in DSP V2 and OpenShift. + // +kubebuilder:default:=true + // +kubebuilder:validation:Optional + InterPodTLS *bool `json:"interPodTLS"` // WorkflowController is an argo-specific component that manages a DSPA's Workflow objects and handles the orchestration of them with the central Argo server // +kubebuilder:validation:Optional diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index d918f712d..d616e4e1c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -114,6 +114,11 @@ func (in *DSPASpec) DeepCopyInto(out *DSPASpec) { *out = new(MLMD) (*in).DeepCopyInto(*out) } + if in.InterPodTLS != nil { + in, out := &in.InterPodTLS, &out.InterPodTLS + *out = new(bool) + **out = **in + } if in.WorkflowController != nil { in, out := &in.WorkflowController, &out.WorkflowController *out = new(WorkflowController) diff --git a/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml b/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml index dae078f5c..b7577a8e7 100644 --- a/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml +++ b/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml 
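Review bot: The new `InterPodTLS *bool` field in `DSPASpec` is tagged `json:"interPodTLS"` without `omitempty`, so a nil pointer marshals as `"interPodTLS": null` instead of being left out; `json:"interPodTLS,omitempty"` keeps "omitted" (which the controller hunk treats as enabled on v2) distinct from an explicit value. The JSON key also changes case from `InterPodTLS` to `interPodTLS`, so a resource that still sets the old key presumably no longer influences the setting and falls back to the default; that is worth stating in the field comment or the release notes. The doc comment itself reads awkwardly, and something like `// InterPodTLS enables or disables TLS between DSPA component pods. Defaults to true. Only supported with DSP v2 on OpenShift.` would be clearer. The `DSPASpec` struct continues outside the hunk.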
@@ -35,12 +35,6 @@ spec: type: object spec: properties: - InterPodTLS: - default: enabled - description: InterPodTLS Set to "enable" or "disable" tls communication - between DSPA components. Default to "enable". Only supported in - OpenShift. - type: string apiServer: default: deploy: true @@ -347,6 +341,12 @@ spec: dspVersion: default: v1 type: string + interPodTLS: + default: true + description: InterPodTLS Set to "true" or "false" tls communication + between DSPA components. Default to enable Inter-Pod tls by setting + to "true". Only supported in DSP V2 and OpenShift. + type: boolean mlmd: properties: deploy: diff --git a/config/internal/mlpipelines-ui/deployment.yaml.tmpl b/config/internal/mlpipelines-ui/deployment.yaml.tmpl index dd865237a..05e6201bc 100644 --- a/config/internal/mlpipelines-ui/deployment.yaml.tmpl +++ b/config/internal/mlpipelines-ui/deployment.yaml.tmpl @@ -46,8 +46,6 @@ spec: value: "true" - name: ML_PIPELINE_SERVICE_HOST value: {{.APIServerServiceDNSName}} - - name: DISABLE_GKE_METADATA - value: 'true' - name: ML_PIPELINE_SERVICE_PORT value: '8888' {{ if .InterPodTLS }} @@ -78,6 +76,8 @@ spec: - name: AWS_SSL value: "false" {{ end }} + - name: DISABLE_GKE_METADATA + value: 'true' image: {{.MlPipelineUI.Image}} imagePullPolicy: IfNotPresent livenessProbe: diff --git a/config/internal/persistence-agent/deployment.yaml.tmpl b/config/internal/persistence-agent/deployment.yaml.tmpl index 818450ace..155834fb9 100644 --- a/config/internal/persistence-agent/deployment.yaml.tmpl +++ b/config/internal/persistence-agent/deployment.yaml.tmpl @@ -40,8 +40,10 @@ spec: {{ else }} value: PipelineRun {{ end }} + {{ if .InterPodTLS }} - name: SSL_CERT_DIR value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/" + {{ end }} image: "{{.PersistenceAgent.Image}}" imagePullPolicy: IfNotPresent name: ds-pipeline-persistenceagent diff --git a/controllers/dspipeline_params.go b/controllers/dspipeline_params.go index 94816f223..b9a5e4a9e 100644 
--- a/controllers/dspipeline_params.go +++ b/controllers/dspipeline_params.go @@ -87,7 +87,7 @@ type DSPAParams struct { CustomCABundle *dspa.CABundle DSPONamespace string // Use to enable tls communication between component pods. - InterPodTLS string + InterPodTLS bool APIServerServiceDNSName string } @@ -578,7 +578,6 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip p.Namespace = dsp.Namespace p.DSPONamespace = os.Getenv("DSPO_NAMESPACE") p.DSPVersion = dsp.Spec.DSPVersion - p.InterPodTLS = dsp.Spec.InterPodTLS p.Owner = dsp p.APIServer = dsp.Spec.APIServer.DeepCopy() p.APIServerDefaultResourceName = apiServerDefaultResourceNamePrefix + dsp.Name @@ -595,8 +594,19 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip p.MLMD = dsp.Spec.MLMD.DeepCopy() p.CustomCABundleRootMountPath = config.CustomCABundleRootMountPath p.PiplinesCABundleMountPath = config.GetCABundleFileMountPath() + p.InterPodTLS = false dspTrustedCAConfigMapKey := config.CustomDSPTrustedCAConfigMapKey + // InterPodTLS is only used in v2 dsp + if p.UsingV2Pipelines(dsp) { + // by default it's enabled when omitted + if dsp.Spec.InterPodTLS == nil { + p.InterPodTLS = true + } else { + p.InterPodTLS = *dsp.Spec.InterPodTLS + } + } + log := loggr.WithValues("namespace", p.Namespace).WithValues("dspa_name", p.Name) if p.APIServer != nil { diff --git a/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml index 1cf56c112..444851cc5 100644 --- a/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml 
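Review bot: In the `@@ -595,8 +594,19 @@` hunk of `ExtractParams`, a v2 DSPA with `interPodTLS: false` and every non-v2 DSPA both end up with `p.InterPodTLS = false` without leaving any trace, so an operator cannot tell from the logs that components are talking in plaintext. Since `log` is created directly after this block, the block could move below it and record the opt-out in the branch where the spec value is false, e.g. `log.Info("interPodTLS is disabled, DSPA components will communicate without TLS")` (assuming `log` is a logr-style logger, which the hunk does not show). The nested `if`/`else` can also collapse to `p.InterPodTLS = p.UsingV2Pipelines(dsp) && (dsp.Spec.InterPodTLS == nil || *dsp.Spec.InterPodTLS)`, which makes the separate `p.InterPodTLS = false` line unnecessary. `ExtractParams` begins and ends outside the hunk.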
@@ -46,7 +46,7 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp2 + value: ds-pipeline-testdsp2.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST @@ -69,6 +69,8 @@ spec: value: "minio-testdsp2.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: frontend:test2 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml index f54c405fa..1b7597019 100644 --- a/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml @@ -46,7 +46,7 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp4 + value: ds-pipeline-testdsp4.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST @@ -69,6 +69,8 @@ spec: value: "minio-testdsp4.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: this-frontend-image-from-cr-should-be-used:test4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml index 83dd546b0..abec9309d 100644 --- a/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml 
@@ -46,7 +46,7 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp5 + value: ds-pipeline-testdsp5.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST @@ -69,6 +69,8 @@ spec: value: "minio-testdsp5.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: frontend:test5 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml index 0b09dc9c5..d10ec0d31 100644 --- a/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml @@ -115,6 +115,8 @@ spec: args: - --config=/config - -logtostderr=true + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -123,29 +125,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 250m @@ -157,6 +145,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - name: ca-bundle mountPath: /dspa/custom-certs - name: oauth-proxy 
@@ -164,7 +154,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp6 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp6.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml index 2bbee637a..999511351 100644 --- a/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml @@ -108,6 +108,8 @@ spec: - --config=/config - -logtostderr=true - --sampleconfig=/config/sample_config.json + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -116,29 +118,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 1231m @@ -150,6 +138,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - mountPath: /config/sample_config.json name: sample-config subPath: sample_config.json 
@@ -160,7 +150,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp7 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp7.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml index a3215a5be..560283963 100644 --- a/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml @@ -46,9 +46,13 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp7 + value: ds-pipeline-testdsp7.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' + - name: ML_PIPELINE_SERVICE_SCHEME + value: 'https' + - name: NODE_EXTRA_CA_CERTS + value: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST value: ds-pipeline-md-testdsp7 - name: METADATA_ENVOY_SERVICE_SERVICE_PORT @@ -69,6 +73,8 @@ spec: value: "minio-testdsp7.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: frontend:test7 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml b/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml index abcb70d3e..a19952843 100644 --- a/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml +++ b/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml 
@@ -36,6 +36,8 @@ spec: value: "" - name: EXECUTIONTYPE value: Workflow + - name: SSL_CERT_DIR + value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/" image: persistenceagent:test7 imagePullPolicy: IfNotPresent name: ds-pipeline-persistenceagent diff --git a/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml index 4b94b262b..540d1dc7b 100644 --- a/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml @@ -115,6 +115,8 @@ spec: args: - --config=/config - -logtostderr=true + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -123,29 +125,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 250m @@ -157,6 +145,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - name: ca-bundle mountPath: /dsp-custom-certs - name: oauth-proxy 
@@ -164,7 +154,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp8 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp8.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_9/config.yaml b/controllers/testdata/declarative/case_9/config.yaml new file mode 100644 index 000000000..dbcd4d0d9 --- /dev/null +++ b/controllers/testdata/declarative/case_9/config.yaml @@ -0,0 +1,14 @@ +Images: + MlPipelineUI: frontend:test9 + MariaDB: mariadb:test9 + Minio: minio:test9 + OAuthProxy: oauth-proxy:test9 +ImagesV2: + Argo: + ApiServer: api-server:test9 + ArgoLauncherImage: argolauncherimage:test9 + ArgoDriverImage: argodriverimage:test9 + PersistentAgent: persistenceagent:test9 +DSPO: + ApiServer: + IncludeOwnerReference: false diff --git a/controllers/testdata/declarative/case_9/deploy/00_cr.yaml b/controllers/testdata/declarative/case_9/deploy/00_cr.yaml new file mode 100644 index 000000000..9eb1b4ce2 --- /dev/null +++ b/controllers/testdata/declarative/case_9/deploy/00_cr.yaml @@ -0,0 +1,22 @@ +# Test: +# interPodTLS = false, should disable any tls configs for apiserver, pa, and kfp ui +apiVersion: datasciencepipelinesapplications.opendatahub.io/v1alpha1 +kind: DataSciencePipelinesApplication +metadata: + name: testdsp9 +spec: + dspVersion: v2 + interPodTLS: false + objectStorage: + minio: + image: minio:test9 + database: + mariaDB: + deploy: true + mlpipelineUI: + deploy: true + image: frontend:test9 + apiServer: + deploy: true + enableOauth: true + enableSamplePipeline: false 
diff --git a/controllers/testdata/declarative/case_9/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_9/expected/created/apiserver_deployment.yaml
new file mode 100644
index 000000000..ba534e8e5
--- /dev/null
+++ b/controllers/testdata/declarative/case_9/expected/created/apiserver_deployment.yaml
@@ -0,0 +1,194 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ds-pipeline-testdsp9 + namespace: default + labels: + app: ds-pipeline-testdsp9 + component: data-science-pipelines + dspa: testdsp9 +spec: + selector: + matchLabels: + app: ds-pipeline-testdsp9 + component: data-science-pipelines + dspa: testdsp9 + template: + metadata: + labels: + app: ds-pipeline-testdsp9 + component: data-science-pipelines + dspa: testdsp9 + spec: + containers: + - env: + - name: POD_NAMESPACE + value: "default" + - name: DBCONFIG_USER + value: "mlpipeline" + - name: DBCONFIG_PASSWORD + valueFrom: + secretKeyRef: + key: "password" + name: "ds-pipeline-db-testdsp9" + - name: DBCONFIG_DBNAME + value: "mlpipeline" + - name: DBCONFIG_HOST + value: "mariadb-testdsp9.default.svc.cluster.local" + - name: DBCONFIG_PORT + value: "3306" + - name: AUTO_UPDATE_PIPELINE_DEFAULT_VERSION + value: "true" + - name: DBCONFIG_CONMAXLIFETIMESEC + value: "120" + - name: ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST + value: "ds-pipeline-visualizationserver" + - name: ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT + value: "8888" + - name: OBJECTSTORECONFIG_CREDENTIALSSECRET + value: "ds-pipeline-s3-testdsp9" + - name: OBJECTSTORECONFIG_CREDENTIALSACCESSKEYKEY + value: "accesskey" + - name: OBJECTSTORECONFIG_CREDENTIALSSECRETKEYKEY + value: "secretkey" + - name: DEFAULTPIPELINERUNNERSERVICEACCOUNT + value: "pipeline-runner-testdsp9" + - name: OBJECTSTORECONFIG_BUCKETNAME + value: "mlpipeline" + - name: OBJECTSTORECONFIG_ACCESSKEY + valueFrom: + secretKeyRef: + key: "accesskey" + name: "ds-pipeline-s3-testdsp9" + - name: OBJECTSTORECONFIG_SECRETACCESSKEY + valueFrom: + secretKeyRef: + key: "secretkey" + name: "ds-pipeline-s3-testdsp9" + - name: OBJECTSTORECONFIG_SECURE + value: "false" + - name: MINIO_SERVICE_SERVICE_HOST + value: "minio-testdsp9.default.svc.cluster.local" + - name: MINIO_SERVICE_SERVICE_PORT + value: "9000" + - name: V2_LAUNCHER_IMAGE + value: "argolauncherimage:test9" + - 
name: V2_DRIVER_IMAGE + value: "argodriverimage:test9" + - name: METADATA_GRPC_SERVICE_SERVICE_HOST + value: "ds-pipeline-metadata-grpc-testdsp9.default.svc.cluster.local" + - name: METADATA_GRPC_SERVICE_SERVICE_PORT + value: "8080" + - name: ML_PIPELINE_SERVICE_HOST + value: ds-pipeline-testdsp9.default.svc.cluster.local + - name: ML_PIPELINE_SERVICE_PORT_GRPC + value: "8887" + - name: EXECUTIONTYPE + value: Workflow + - name: DB_DRIVER_NAME + value: mysql + - name: DBCONFIG_MYSQLCONFIG_USER + value: mlpipeline + - name: DBCONFIG_MYSQLCONFIG_PASSWORD + valueFrom: + secretKeyRef: + key: "password" + name: "ds-pipeline-db-testdsp9" + - name: DBCONFIG_MYSQLCONFIG_DBNAME + value: "mlpipeline" + - name: DBCONFIG_MYSQLCONFIG_HOST + value: "mariadb-testdsp9.default.svc.cluster.local" + - name: DBCONFIG_MYSQLCONFIG_PORT + value: "3306" + image: api-server:test9 + imagePullPolicy: Always + name: ds-pipeline-api-server + command: ['/bin/apiserver'] + args: + - --config=/config + - -logtostderr=true + ports: + - containerPort: 8888 + name: http + protocol: TCP + - containerPort: 8887 + name: grpc + protocol: TCP + livenessProbe: + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS + readinessProbe: + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS + resources: + requests: + cpu: 250m + memory: 500Mi + limits: + cpu: 500m + memory: 1Gi + volumeMounts: + - name: server-config + mountPath: /config/config.json + subPath: config.json + - name: oauth-proxy + args: + - --https-address=:8443 + - --provider=openshift + - --openshift-service-account=ds-pipeline-testdsp9 + - --upstream=http://localhost:8888 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --cookie-secret=SECRET + - '--openshift-delegate-urls={"/": {"group":"route.openshift.io","resource":"routes","verb":"get","name":"ds-pipeline-testdsp9","namespace":"default"}}' + - 
'--openshift-sar={"namespace":"default","resource":"routes","resourceName":"ds-pipeline-testdsp9","verb":"get","resourceAPIGroup":"route.openshift.io"}' + - --skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)' + image: oauth-proxy:test9 + ports: + - containerPort: 8443 + name: oauth + protocol: TCP + livenessProbe: + httpGet: + path: /oauth/healthz + port: oauth + scheme: HTTPS + initialDelaySeconds: 30 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /oauth/healthz + port: oauth + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - mountPath: /etc/tls/private + name: proxy-tls + volumes: + - name: proxy-tls + secret: + secretName: ds-pipelines-proxy-tls-testdsp9 + defaultMode: 420 + - name: server-config + configMap: + name: ds-pipeline-server-config-testdsp9 + defaultMode: 420 + serviceAccountName: ds-pipeline-testdsp9 diff --git a/controllers/testdata/declarative/case_9/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_9/expected/created/mlpipelines-ui_deployment.yaml new file mode 100644 index 000000000..a34edeb0f --- /dev/null +++ b/controllers/testdata/declarative/case_9/expected/created/mlpipelines-ui_deployment.yaml 
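Review bot: The `ds-pipeline-api-server` container in this expected deployment keeps `scheme: HTTPS` on both `livenessProbe` and `readinessProbe`, although case_9 sets `interPodTLS: false`, the container has no `--tlsCertPath`/`--tlsCertKeyPath` args, and the oauth-proxy upstream is `http://localhost:8888`. If the API server serves plain HTTP in that mode, as the missing certificate args suggest, an HTTPS probe against port `http` would fail and the pod would never become ready. The apiserver deployment template is not part of this diff, so it is unclear whether the template renders this or the fixture is stale; either way the two probe blocks for the TLS-disabled case should end in `scheme: HTTP`.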
@@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ds-pipeline-ui-testdsp9 + namespace: default + labels: + app: ds-pipeline-ui-testdsp9 + component: data-science-pipelines + dspa: testdsp9 +spec: + selector: + matchLabels: + app: ds-pipeline-ui-testdsp9 + component: data-science-pipelines + dspa: testdsp9 + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + labels: + app: ds-pipeline-ui-testdsp9 + component: data-science-pipelines + dspa: testdsp9 + spec: + containers: + - env: + - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH + value: /etc/config/viewer-pod-template.json + - name: MINIO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + key: "accesskey" + name: "ds-pipeline-s3-testdsp9" + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + key: "secretkey" + name: "ds-pipeline-s3-testdsp9" + - name: ALLOW_CUSTOM_VISUALIZATIONS + value: "true" + - name: ARGO_ARCHIVE_LOGS + value: "true" + - name: ML_PIPELINE_SERVICE_HOST + value: ds-pipeline-testdsp9.default.svc.cluster.local + - name: ML_PIPELINE_SERVICE_PORT + value: '8888' + - name: METADATA_ENVOY_SERVICE_SERVICE_HOST + value: ds-pipeline-md-testdsp9 + - name: METADATA_ENVOY_SERVICE_SERVICE_PORT + value: "9090" + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + key: "accesskey" + name: "ds-pipeline-s3-testdsp9" + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + key: "secretkey" + name: "ds-pipeline-s3-testdsp9" + - name: AWS_REGION + value: "minio" + - name: AWS_S3_ENDPOINT + value: "minio-testdsp9.default.svc.cluster.local" + - name: AWS_SSL + value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' + image: frontend:test9 + imagePullPolicy: IfNotPresent + livenessProbe: + exec: + command: + - wget + - -q + - -S + - -O + - '-' + - http://localhost:3000/apis/v1beta1/healthz + initialDelaySeconds: 3 + periodSeconds: 5 + 
timeoutSeconds: 2 + name: ds-pipeline-ui + ports: + - containerPort: 3000 + protocol: TCP + readinessProbe: + exec: + command: + - wget + - -q + - -S + - -O + - '-' + - http://localhost:3000/apis/v1beta1/healthz + initialDelaySeconds: 3 + periodSeconds: 5 + timeoutSeconds: 2 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - mountPath: /etc/config + name: config-volume + readOnly: true + - name: oauth-proxy + args: + - --https-address=:8443 + - --provider=openshift + - --openshift-service-account=ds-pipeline-ui-testdsp9 + - --upstream=http://localhost:3000 + - --tls-cert=/etc/tls/private/tls.crt + - --tls-key=/etc/tls/private/tls.key + - --cookie-secret=SECRET + - '--openshift-delegate-urls={"/": {"group":"route.openshift.io","resource":"routes","verb":"get","name":"ds-pipeline-ui-testdsp9","namespace":"default"}}' + - '--openshift-sar={"namespace":"default","resource":"routes","resourceName":"ds-pipeline-ui-testdsp9","verb":"get","resourceAPIGroup":"route.openshift.io"}' + - --skip-auth-regex='(^/metrics|^/apis/v1beta1/healthz)' + image: oauth-proxy:test9 + ports: + - containerPort: 8443 + name: https + protocol: TCP + livenessProbe: + httpGet: + path: /oauth/healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 30 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /oauth/healthz + port: 8443 + scheme: HTTPS + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 5 + successThreshold: 1 + failureThreshold: 3 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - mountPath: /etc/tls/private + name: proxy-tls + serviceAccountName: ds-pipeline-ui-testdsp9 + volumes: + - configMap: + name: ds-pipeline-ui-configmap-testdsp9 + defaultMode: 420 + name: config-volume + - name: proxy-tls + secret: + secretName: ds-pipelines-ui-proxy-tls-testdsp9 + defaultMode: 420 
diff --git a/controllers/testdata/declarative/case_9/expected/created/persistence-agent_deployment.yaml b/controllers/testdata/declarative/case_9/expected/created/persistence-agent_deployment.yaml
new file mode 100644
index 000000000..46d622e32
--- /dev/null
+++ b/controllers/testdata/declarative/case_9/expected/created/persistence-agent_deployment.yaml
@@ -0,0 +1,89 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ds-pipeline-persistenceagent-testdsp9 + namespace: default + labels: + app: ds-pipeline-persistenceagent-testdsp9 + component: data-science-pipelines + dspa: testdsp9 +spec: + selector: + matchLabels: + app: ds-pipeline-persistenceagent-testdsp9 + component: data-science-pipelines + dspa: testdsp9 + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + labels: + app: ds-pipeline-persistenceagent-testdsp9 + component: data-science-pipelines + dspa: testdsp9 + spec: + containers: + - env: + - name: NAMESPACE + value: "default" + - name: TTL_SECONDS_AFTER_WORKFLOW_FINISH + value: "86400" + - name: NUM_WORKERS + value: "2" + - name: KUBEFLOW_USERID_HEADER + value: kubeflow-userid + - name: KUBEFLOW_USERID_PREFIX + value: "" + - name: EXECUTIONTYPE + value: Workflow + image: persistenceagent:test9 + imagePullPolicy: IfNotPresent + name: ds-pipeline-persistenceagent + command: + - persistence_agent + - "--logtostderr=true" + - "--ttlSecondsAfterWorkflowFinish=86400" + - "--numWorker=5" + - "--mlPipelineAPIServerName=ds-pipeline-testdsp9" + - "--namespace=testdsp9" + - "--mlPipelineServiceHttpPort=8888" + - "--mlPipelineServiceGRPCPort=8887" + livenessProbe: + exec: + command: + - test + - -x + - persistence_agent + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 2 + readinessProbe: + exec: + command: + - test + - -x + - persistence_agent + initialDelaySeconds: 3 + periodSeconds: 5 + timeoutSeconds: 2 + resources: + requests: + cpu: 120m + memory: 500Mi + limits: + cpu: 250m + memory: 1Gi + volumeMounts: + - mountPath: /var/run/secrets/kubeflow/tokens/persistenceagent-sa-token + name: persistenceagent-sa-token + subPath: ds-pipeline-persistenceagent-testdsp9-token + serviceAccountName: ds-pipeline-persistenceagent-testdsp9 + volumes: + - name: persistenceagent-sa-token + projected: + sources: + - serviceAccountToken: + audience: 
pipelines.kubeflow.org + expirationSeconds: 3600 + path: ds-pipeline-persistenceagent-testdsp9-token + defaultMode: 420 diff --git a/tests/resources/dspa-external-lite.yaml b/tests/resources/dspa-external-lite.yaml index a86e2a7d4..03d19be43 100644 --- a/tests/resources/dspa-external-lite.yaml +++ b/tests/resources/dspa-external-lite.yaml @@ -4,6 +4,7 @@ metadata: name: dspa-ext spec: dspVersion: v2 + interPodTLS: false apiServer: deploy: true enableOauth: false diff --git a/tests/resources/dspa-lite.yaml b/tests/resources/dspa-lite.yaml index 531b353cb..b8ded38d3 100644 --- a/tests/resources/dspa-lite.yaml +++ b/tests/resources/dspa-lite.yaml @@ -4,6 +4,7 @@ metadata: name: test-dspa spec: dspVersion: v2 + interPodTLS: false apiServer: deploy: true enableOauth: false
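Review bot: Both functional-test resources, `tests/resources/dspa-external-lite.yaml` and `tests/resources/dspa-lite.yaml`, now set `interPodTLS: false` with no comment explaining why, so as far as these two files show, the default TLS-enabled path gets no functional coverage. If the reason is that the test cluster is not OpenShift (the field is documented as OpenShift-only), say so next to the field, e.g. `interPodTLS: false  # test cluster has no OpenShift service CA`, so the opt-out is read as a test-environment constraint and not copied into real deployments. Both DSPA specs continue outside their hunks.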